# s^2 Web Server

(This is a work in progress; details are in flux and possibly
unimplemented.)

s^2 Web Server, short for The Speculatively Secure Web Server, serves
a manually crafted website (HTML, CSS, JS, images, videos).
It has an optional control panel for remote configuration.

PHP and others may be used via FastCGI. Their security guarantees may
differ from those of the s^2 core.

## Control panel

- [ ] uploading and downloading documents
- [ ] setting up accounts and groups
- [ ] configuring regions that require special permissions
- [ ] redirects
- [ ] viewing load statistics
- [ ] external storage, local file system or an SQL database
- [ ] restricting scripting (JS, also CSS in IE)
- [ ] restricting loading of external resources
- [ ] restricting allowed file types

## Short-term TODO

- [ ] HTTP/1.1 Hello World!
- [ ] serve files from the filesystem
- [ ] migration to different instances
- [ ] HTTPS
- [ ] WebDAV (with hardcoded credentials)

## Longer-term TODO

- [ ] documents from SQL databases
- [ ] migration to other machines
- [ ] transparent compression of text
- [ ] HTTP/1.0
- [ ] HTTP/2
- [ ] HTTP/3, once it is out
- [ ] HTTPS
- [ ] optional append-only audit log
  - [ ] for account setup
  - [ ] for region setup
  - [ ] for redirect configuration
  - [ ] for restricting scripting
  - [ ] for restricting external resources
  - [ ] for storage configuration
- [ ] automatic back-ups (external media must still be inserted manually)
  - [ ] with checksums
  - [ ] signed
  - [ ] encrypted
- [ ] automatic Let's Encrypt HTTPS certificates
- [ ] special handling of suspect requests
  - [ ] non-existent, vulnerable locations (e.g. wp-login.php)
  - [ ] paths containing '/../'
  - [ ] others
  - [ ] logging of IP
- [ ] secure authentication
  - [ ] optional two-factor authentication
  - [ ] hashed and salted passphrases
  - [ ] minimal passphrase lengths
        (Resource: password rules on codinghorror.com)
  - [ ] encrypted with a key only known to the authentication daemon
  - [ ] signed, without replay attacks (e.g. using a Merkle tree) (?)
  - [ ] allow changing keys
- [ ] allow untrusted storage (?)
- [ ] isolated authentication daemon
- [ ] sandboxed
- [ ] load statistics
- [ ] test cases

## Some development resources

- Additional HTTP Status Codes: RFC 6585
- Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing: RFC 7230
- Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content: RFC 7231
- Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests: RFC 7232
- Hypertext Transfer Protocol (HTTP/1.1): Range Requests: RFC 7233
- Hypertext Transfer Protocol (HTTP/1.1): Caching: RFC 7234
- Hypertext Transfer Protocol (HTTP/1.1): Authentication: RFC 7235

## Legal stuff

Copyright (C) 2018 Ariadne Devos

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
